Technical Report UCAM-CL-TR-604, Number 604. On the anonymity of anonymity systems. Andrei Serjantov. University of Cambridge Computer Laboratory, October 2004. ISSN 1476-2986


Technical Report UCAM-CL-TR-604, Number 604, ISSN 1476-2986
Computer Laboratory

On the anonymity of anonymity systems

Andrei Serjantov

October 2004

JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom

(c) 2004 Andrei Serjantov

This technical report is based on a dissertation submitted March 2003 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Queens' College.

Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet:

ISSN 1476-2986

On the Anonymity of Anonymity Systems
Andrei Serjantov

Summary

Anonymity on the Internet is a property commonly identified with privacy of electronic communications. A number of different systems exist which claim to provide anonymous email and web browsing, but their effectiveness has hardly been evaluated in practice. In this thesis we focus on the anonymity properties of such systems.

First, we show how the anonymity of anonymity systems can be quantified, pointing out flaws with existing metrics and proposing our own. In the process we distinguish the anonymity of a message and that of an anonymity system.

Secondly, we focus on the properties of the building blocks of mix-based (email) anonymity systems, evaluating their resistance to powerful blending attacks, their delay, their anonymity under normal conditions and other properties. This leads us to methods of computing anonymity for a particular class of mixes, timed mixes, and a new binomial mix.

Next, we look at the anonymity of a message going through an entire anonymity system based on a mix network architecture. We construct a semantics of a network with threshold mixes, define the information observable by an attacker, and give a principled definition of the anonymity of a message going through such a network.

We then consider low latency connection-based anonymity systems, giving concrete attacks and describing methods of protection against them. In particular, we show that Peer-to-Peer anonymity systems provide less anonymity against the global passive adversary than ones based on a classic architecture.

Finally, we give an account of how anonymity can be used in censorship resistant systems. These are designed to provide availability of documents, while facing threats from a powerful adversary. We show how anonymity can be used to hide the identity of the servers where each of the documents is stored, thus making them harder to remove from the system.


Contents

1 Introduction
    Privacy and Anonymity
    Uses of Anonymity
        Web Browsing and Email
        Electronic Voting
        Censorship Resistance
    Structure of the Thesis
    Contributions of the Thesis
    Publication History

2 The Basics of Anonymity Systems
    Background and Historical Developments
    Terminology
    Unlinkability via Mix Systems
        Basic Properties of Chaum's Construction
        Threat Models
        More on Mix Systems
        Cascades vs Networks
        The (n-1) Attack
    Message-based Systems for Anonymous Email
        Open Problems
    2.5 Anonymous Web Browsing
        Attacks and Open Problems
    Other Schemes
        Related Work
        Crowds
        Dining Cryptographers Networks
        Buses
        Location Privacy
    Summary

3 Measuring Anonymity
    Previous Work: Anonymity Sets
        Anonymity Sets in Dining Cryptographers Networks
        Anonymity Sets in Stop-and-Go Mixes
        Standard Terminology: Anonymity Sets
        Difficulties with Anonymity Set Size
        The Pool Mix
        Knowledge Vulnerability
    Entropy
    Analysis of the Pool Mix
    What is Anonymity?
    Related Work
    Summary

4 Active Attack Properties of Single Mixes
    Blending Attack Taxonomy
    Simple Mixes
        Threshold Mix
        Timed Mix
        Threshold-Or-Timed Mix
        4.2.4 Threshold-And-Timed Mix
    Pool Mixes
        Threshold Pool Mix
        Timed Pool Mix
        Timed Dynamic-Pool Mix (Cottrell Mix)
    Related Work
        Limitations of Stop-and-Go Mixes
        Other Work on Batching Mixes
        Deployed Mixes
    Summary

5 Generalising Mixes and the Binomial Mix
    Expressing Mixes as Functions
    Extensions Arising Out of the Framework
    Adding Randomization: The Binomial Mix
    Blending Attack on the Binomial Mix
    Related Work
    Summary

6 From Mixes to Mix Networks
    The Mix Network
    Formal Representation of the Mix Network
    Mix Network State
    Formal Representation of the Mix Network State
    Mix Network Dynamics
    Formal Representation of the Mix Network Dynamics
    Attacker Observations of the Mix Networks
    Formal Representation of the Attacker Observations
        Defining Labels Observable by the Attacker
        6.8.2 Defining Traces
        Attacker Observations
        Erasing the Trace
    Calculating the Anonymity Probability Distribution
    Calculating the Anonymity Probability Distribution Formally
        External Receive Events
        Scenario Anonymity
    Calculating Anonymity: a Simple Example
    Commentary and Model Design Choices
    Related and Future Work
    Summary

7 On the (non)-anonymity of Connection-based Systems
    Introduction
    Systems and Usage
    Threat Models
    Analysis: Lone Connection Tracking
        Mean-based analysis
        Definitions
        Simulator
        Results
        Protection
    Analysis: Connection-start Tracking
    Working with Richer Traffic Features
    Discussion and Solutions
    Related Work
    Summary

8 Anonymity and Censorship Resistance
    Introduction
    System Description
        Publishing
        Retrieval
    Commentary on the Protocol
        Replication
        Forwarders
        Encryption of Shares
        Decrypters
    Discussion
    Related and Future Work
    Summary

9 Conclusion and Future Work
    Future Directions
    Concluding Remarks

A Variable Conventions    151


Chapter 1
Introduction

"Praise the humanities, my boy. That'll make them think you are broadminded."
Winston Churchill's advice to R. V. Jones (who had just been appointed as Professor of Physics)

1.1 Privacy and Anonymity

Privacy is viewed by many, if not most, as a desirable feature of modern society. Naturally, there is no complete consensus as to the definition of privacy, although there are a few popular alternatives. Roger Clarke suggests that "Privacy is the interest that individuals have in sustaining a personal space, free from interference by other people and organisations" [Cla99]. An alternative definition from the Oxford English Dictionary is "Privacy is the state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; freedom from interference or intrusion." What will be of particular interest to us is the notion of communications privacy: "Individuals claim an interest in being able to communicate among themselves, using various media, without routine monitoring of their communications by other persons or organisations. This includes what is sometimes referred to as interception privacy" [Cla99].

In this thesis we will be looking at a modern communications infrastructure, the Internet, and examining how individuals can use it to communicate privately. Whenever one communicates using the Internet, one leaves tracks which identify where the message (packet) came from and was going to. To be more specific: every email message, every access to a web page, every file download contains information as to which IP address the email came from, or which IP address requested the web page, or downloaded the file. IP addresses are allocated to individuals or companies by their Internet Service Providers (ISPs), who keep this information and thus ensure that it is possible to track every Internet communication down to an individual or, at the very least, an organisation[1]. Naturally, some IP addresses are more linkable to individuals than others; there are practical steps one can take to make oneself more or less traceable. Using an Internet cafe is a good example, though some countries require users in such establishments to present their identity cards or simply mount surveillance cameras on the premises. Whether one can become practically untraceable by taking steps to cover one's tracks is a subject of a PhD in its own right [Cla04]. Here, we are merely concerned with the situation of the average individual. His communication privacy is virtually non-existent: every packet travelling on the Internet contains its sender and receiver, so any part of the communications infrastructure that it travels through (routers, switches, firewalls) can determine who is communicating with whom and (usually) what they are saying, hence enabling easy routine monitoring and surveillance of communications by governments, companies and even individuals in charge of parts of the infrastructure. It may be worthwhile to contrast this scenario with that of a person heckling from the back of a crowd, posting an anonymous letter or making a phone call from a telephone box, where privacy is more or less preserved.

And yet there are many cases when, on the Internet, communications privacy is not merely desirable, but essential. For instance, a web-based electronic survey connected with subjects such as AIDS, alcoholism, cancer, etc. needs to make sure that even the very fact that an individual is responding to such a survey is kept secret from third parties. Failure to do so can be damaging to the individual (it may increase insurance premiums, cause price discrimination, social tension, etc.). Currently, the fact that an individual has accessed the survey can be trivially obtained by a system administrator of the company the individual works for, the ISP, and in some cases even another user of the same network. The current solution is to trust the agency doing the survey to anonymize the results, and the communications infrastructure not to collect data about who is responding to the survey. In reality, the arrangement is often open to abuse: commonly results of surveys are sent in plaintext over the Internet and thus it is possible to see not only who responds to the survey, but also what their responses are.

Thus, using the Internet as a basic medium of communications means that, by default, privacy is destroyed. Protecting it should ensure:

- Secrecy of the contents of private communications: the inability of third parties to read what is being said in private.
- Anonymity of such communications: the inability of third parties to determine the participants of private communications.

Secrecy of communications is relatively easy to achieve by using one of a wide variety of tools (e.g. PGP [PGP]) employing well-known encryption techniques [RSA78, RSA02, AES01, DR02]. Anonymity of communications is independent from their secrecy: an email message may be encrypted, but it will be obvious that it is going from Alice to Bob; on the other hand, it may be possible to hide the fact that a message is going from Alice to Bob without hiding its contents: "Meet at 10am on Red Square." Hence, to even begin to develop an environment in which communications privacy can be preserved, there is a need for a communications infrastructure (on top of existing Internet protocols) which allows information to be transmitted from one party to another without revealing either their identity or the nature of the communication. In other words, we need to build an infrastructure to enable anonymous communications on the Internet. The infrastructure may comprise several application-specific anonymous communication systems, or anonymity systems, e.g. for email and web browsing[2]. Anonymity systems, due to their various requirements and depending on user actions, will provide different degrees of anonymity. Working out precisely how much is the focus of this work.

The thesis that this dissertation aims to support is that analysis of anonymity systems is feasible, necessary and somewhat practical. A broader consequence of the work is that systems providing different desirable degrees of anonymity on the Internet, each with an associated cost, are a practical option rather than a theoretical possibility.

To analyse anonymity systems, we must first find an appropriate way of quantifying anonymity and then try to work out the anonymity in situations of interest. However, trying to calculate directly the level of anonymity of a user sending an email or retrieving a webpage via an anonymity system is far too difficult: such systems are very complex. Instead, we will build models of these systems along with ways to calculate anonymity from these models. In some cases this will enable us to calculate the anonymity analytically; in others this will prove too difficult and we will have to resort to simulations.

The anonymity of individuals using various system designs will necessarily depend on what the anonymity systems are designed to protect against, i.e. how powerful

[1] Thus, some countries have taken the view that access logs (in particular, web server access logs) constitute personal information. Hence, data protection legislation requires that companies take due care of such information and, upon request, provide access to the individual who browsed the website.
[2] On top of an anonymous communications infrastructure we can build up an appropriate identification and authentication infrastructure as necessary.

the disturber, the intruder, or the interfering body may be. How should we decide who to design our anonymity system against? There are several possible approaches. The first approach is to decide first which kinds of intruders we want to protect the users against and how much anonymity they should have, and then design and build the anonymous infrastructure keeping this in mind. Our analysis techniques should then enable us to show that the systems do indeed meet the requirements. The other approach is to investigate first how much anonymity it is possible to provide users with, and make a decision as to how much anonymity to actually provide users with later. In this thesis we follow the second approach: we will design anonymity systems which are as strong as possible, and thus resist very powerful attackers. Having investigated stronger attack models, we will be in a better position to design and build systems tailored to specific anonymity requirements when such a need arises.

It is appropriate to note at this point that privacy conflicts with the ability of law enforcement agencies to obtain evidence of communications of suspects who may or may not have committed a crime. So how much privacy should users have? This is an ongoing debate, to which we wish to make no contributions in this work. We merely note the fact that it may be possible to modify anonymity systems to provide anonymity which is revocable on a case by case basis [CDG+]. Thus the ideas presented in this thesis do not depend on the outcome of the privacy vs law enforcement debate.

So far we have considered generic user privacy as the main motivation for the design, development and deployment of anonymity systems. In the next section, we look at the motivation behind providing anonymity to users in more detail, keeping the generic communications privacy idea in mind.

1.2 Uses of Anonymity

1.2.1 Web Browsing and Email

The most popular uses of the Internet over the last few years have been email and web browsing. Therefore, to ensure communications privacy, we should build an anonymity infrastructure to enable users to perform these activities free from intrusion by various attackers. We have already illustrated the motivation for anonymous web browsing with the electronic survey example in the previous section. There are many other similar scenarios: browsing websites about specific illnesses or disorders, reading political opinions, etc.

Turning to anonymous email, we claim that just as in the past correspondence between individuals by mail has been free from routine surveillance both in terms of content and participants, so should be correspondence by email. This may include emails about families, work, the advantages and disadvantages of products or services provided by various companies, political speech and other subjects which are potentially of interest to parties which are not involved in the communication. Another important application of anonymous email is whistle blowing. Essentially, this is the ability of an individual to report a wrongdoing and thus expose an irregularity or a crime, often by a person in charge or simply someone with authority over the whistle blower. Clearly, one way to enable whistle blowing is to have a very secure (email) anonymous communications system deployed, thus enabling anyone to send a message relatively easily without fear of being tracked. Finally, both anonymous email and anonymous web browsing can be used to distribute news and hold online discussions without fear of surveillance in countries with repressive regimes.

1.2.2 Electronic Voting

Electronic voting is often viewed as a good application of anonymity. One fundamental requirement of an electronic voting system is to ensure that it is not possible to determine who votes for whom. Another is to ensure that the votes are receipt-free, i.e. the voter is unable to prove to a third party which way they voted. This is necessary to prevent votes from being sold. E-voting is a very contentious area, with some experts believing that it is currently technically infeasible to provide a secure system with strong anonymity properties in order to guarantee that an election is conducted fairly. Certainly the vast majority of the deployed systems have major shortcomings in their security, user interfaces, or reliability [Mer03, KSRW03]. Nevertheless, if electronic voting systems are ever to be deployed, they will probably need to use the same techniques as anonymity systems.

1.2.3 Censorship Resistance

Censorship resistance is the ability to publish a document on a system which ensures that it will be available for a long time, despite powerful adversaries trying to prevent its distribution. Anonymity is a useful tool in censorship resistant systems. It enables publishing to be done anonymously, so the author cannot be tracked (thus removing the fear element which often discourages people from posting controversial documents). Even more importantly, it prevents the machines which store a file from knowing what the file they are storing is, thus removing the potential burden of filtering that may be placed on them by organisations. We explore this issue in more detail in Chapter 8.

1.3 Structure of the Thesis

Having shown the motivation for anonymous communication infrastructures in the previous section, we will first examine the basic principles behind achieving anonymity. In Chapter 2 we introduce the scheme commonly used to build strongly anonymous communication systems, basic concepts such as mixes and onion encryption, and discuss the different architectures of anonymity systems. We then distinguish two basic types of anonymity systems: (email) message-based systems and real-time connection-based systems. We look at existing designs and the shortcomings of previous work, and set the scene for our research.

We then go on to examine the problem of measuring anonymity (Chapter 3), and by way of example show how the anonymity of two mixes can be compared.

In Chapter 4 we turn our attention to message-based systems. We look at individual mixes, the building blocks of anonymity systems, focusing in particular on how resistant these are to the powerful blending attacks. These are active attacks which involve the adversary flooding the mix with his own messages in order to single out a message he wants to trace and thus deduce its destination. In the next chapter, we continue the analysis of single mixes, devise a framework in which they can be expressed and compared, and propose yet another mix, the binomial mix, with better properties.

Analysing single mixes is useful, but a strong anonymity system should consist of several mixes. The mixes can be combined in various ways. One of these is a mix network. In Chapter 6 we look in detail at how one would go about analysing an anonymity system based on a mix network architecture and provide a formal definition of the anonymity of a message going through such a system.

Next we look at connection-based systems, the attacks on them and how they can be protected against without using dummy traffic. In particular, we look at the attacks which a passive adversary can mount. Finally, we look at how anonymity systems can be used to improve censorship resistant systems.

The meaning of various variables in Chapters 3-7 of the thesis is summarised in Appendix A.

1.4 Contributions of the Thesis

In this work we strive to introduce the idea of quantitative probabilistic analysis of anonymity systems. In the process, we make the following contributions:

- First, we look at the concept of anonymity set, the metric used in most previous analyses of anonymity systems, and show that it is inadequate for expressing the anonymity of a large class of real anonymity systems. We propose our own metric and show how it can be used in analysing single mixes, the building blocks of anonymity systems.
- We give an account of the (n-1) attack which can be mounted by a powerful adversary and was thought to defeat anonymity systems. We show how this attack can be made much more observable and expensive by using more sophisticated mixes. This result quantitatively supports the intuition of the designers of the Mixmaster network.
- We present a framework in which existing mixes can be expressed, and design a new mix which is more resistant to blending attacks.
- We present methods of anonymity analysis for a variety of single mixes.
- We tackle the long-standing problem of choosing the best architecture, cascade or network, for an anonymity system. While mix cascades are easy to build and analyse, they scale badly and are more easily subjected to (n-1) attacks. Mix networks, on the other hand, are hard to analyse, but were thought to have better properties (and scale well). We define the anonymity of a message travelling through a mix network and thus make substantial progress towards solving the mix cascade vs mix network problem.
- We also look at connection-based systems, which are designed to provide low-latency anonymous communication. Some of these can be used for everyday tasks such as web browsing [DMS04, FM02], while others are more specialised, addressing anonymous file sharing [BG03]. There are several implementations of these, with the most popular, JAP, having tens of thousands of users. Astonishingly, virtually none of these (except, perhaps, Crowds [RR97, WALS02, Shm03]) have a rigorous analysis of the anonymity they provide, with some (GNUnet) lacking even a consistent description of the system itself. We refine the standard threat model (this has been long overdue!), present very simple attacks which can be used against most of the existing systems, and propose ways of protecting against them. Unlike the relatively mature area of analysis of message-based anonymity systems, connection-based systems are very much in need of analysis, and we merely scratch the surface here.
- Finally, we look at censorship resistant systems and show how an anonymity system can be used to help design a Peer-to-Peer architecture which protects against rubber-hose cryptanalysis, previously thought to be hard or impossible.

1.5 Publication History

The vast majority of the material presented in this document has been published in proceedings of peer-reviewed workshops or conferences. Some of Chapter 3 is based on the paper "Towards an Information Theoretic Metric for Anonymity" [SD02], coauthored with George Danezis. This paper won the 2002 Award for Outstanding Paper in the field of Privacy Enhancing Technologies. The material of Chapter 4 is a selection of the work presented at the 5th Information Hiding Workshop in the paper "From a Trickle to a Flood: Active Attacks on Several Mix Types" [SDS02], coauthored with Roger Dingledine and Paul Syverson, and at the Workshop on Privacy and Anonymity Issues in Networked and Distributed Systems, "On the Anonymity of Timed Pool Mixes" [SN03], with Richard E. Newman. Chapter 5 is based on work published at PET 2003, "Generalising Mixes" [DS03b], with Claudia Diaz. Work on the anonymity of mix networks is yet to be submitted at the time of writing. Our thoughts on connection-based systems of Chapter 7 were published at ESORICS 2003, "Passive Attack Analysis for Connection-Based Anonymity Systems" [SS03], coauthored with Peter Sewell, and the work on censorship resistance was presented at the International Workshop on Peer to Peer Systems, 2002, "Anonymizing Censorship Resistant Systems" [Ser02].

Naturally, all the material presented is the author's contribution towards these publications, or material which has been discovered independently by more than one person. Not all the work of the author during the 3 years at Cambridge appears in this thesis: some was not related to analysis of anonymity systems [SSW01a, SSW01b, WNSS02, SL03], while other work [NMSS03] was too collaborative. The thesis was written as of October 2003, and does not include references to work (both my own and by other people) carried out since.

19 Chapter 2 The Basics of Anonymity Systems ZHQM ZMGM ZMFM 1 G. Julius Caesar In this chapter we introduce some basic mechanisms designed to provide anonymity on the Internet, looking at threat models and basic terminology. We leave the technical definitions of anonymity until Chapter 3, where we will have the chance to examine them in more detail. 2.1 Background and Historical Developments To design effective anonymity systems we need to consider how real users wish to communicate on the Internet. The two most popular activities of users on the Internet are and web browsing. Thus, research in the anonymity community has focused upon how to design, build and deploy systems which enable anonymous and anonymous web browsing. It is important to notice that whatever the way the users are communicating, they may well be concerned about hiding different aspects of their communication patterns, all of which would fall under the general term anonymity. First of all, users might wish to be undetectable when they send messages (or initiate communications) through the anonymity system. Alternatively, they might be very 1 W and J were added to the Latin aphabet in the middle ages. Although there is some uncertainty as to when the letters Y and Z were introduced into the Latin alphabet, it has been previously suggested that they were already present at the time of Caesar[And]. 19

20 worried about being observed to receive information from within the system. Finally, they might be quite happy about being observed to send information and receive information as long as it is hard to tell who the other communicating party is in either case. The natural question to ask now is who they might want this information hidden from. The attacker could be local observing the network connection between the user and the Internet, larger the user s ISP, observing some part of the network, including parts of the anonymity system or global observing the entire anonymity system and all the communications between the users and it. In addition, a powerful attacker would probably compromise parts of the anonymity system to try to deanonymize its users. Finally, an attacker can be actively trying to compromise anonymity either by modifying network traffic (and thus potentially being observable) or passively, offline, having previously captured the data required. The development of anonymity systems started with a paper by Chaum in 1981 proposing a scheme for untraceable electronic mail [Cha81]. This is the basis of most modern anonymity systems, as we will discuss in detail below. Seven years later, Chaum proposed a protocol (Dining Cryptographers) for anonymous broadcast which was designed to hide the sender of the message [Cha88]. Pfitzmann and Pfitzmann made substantial improvements to it in 1990 [PP90]. The next significant development was a proposed scheme to anonymize telephone calls based on the (at the time) new ISDN infrastructure ISDN mixes [PPW91]. It identifies many of the important and difficult problems of the field of anonymity systems and addresses them in the context of circuit-switched networks. In the early 1990 s the first practical anonymity systems inspired by Chaum s work started appearing the Type I r ers. 
These were vulnerable to a number of attacks (broadly, the ones described in Section 2.3.3), which was fixed in the Type II r er design [MCPS03, Cot94]. The network of Type II r ers, Mixmaster [Mix], is operational and handles tens of thousands of s per day. This system, however, lacks the ability to reply to anonymous . After all, if the user receives an anonymous , he does not know who to reply to. The scheme for anonymous reply addresses dates back to the original Chaum paper [Cha81], but has proved hard to implement securely. Indeed, the first system to do so is the recent Mixminion, [DDM03]. The first developments in anonymous web browsing began with the Onion Routing project [OR], although simple HTTP proxies appeared around the same time. In recent years, many projects have appeared, most notably JAP [JAP], Tarzan [FM02] and MorphMix [RP02] (the last two are based on a Peer-to-Peer design). More recently, the field has turned to robust implementation and quantitative (often probabilistic) analysis of anonymity systems. The Onion Routing and JAP projects are good examples of the former, while a series of papers by Danezis [Dan03b, Dan03c], 20

21 Diaz [DSCP02], Shmatikov [Shm03], Wright [WALS02, WALS03] and myself are representative examples of the latter. 2.2 Terminology Before describing any concrete ways of achieving anonymous communication, we introduce by example some standard terms which are useful in describing anonymity systems. We broadly follow the proposal of terminology by Pfitzmann and Köhntopp [PK00]. Let us first consider a multi-party asynchronous communications protocol in which participants send messages to each other. Some of these messages are real, i.e. contain information which the sender of a message wanted to transmit to the receiver of it. The aim of the attacker or the adversary is to discover senders and receivers of these messages 2. Other messages, called dummy messages (or just dummies), do not contain information and are just sent to confuse the attacker. After some time (a run of the protocol), some real messages were sent by the senders and received by the receivers. The protocol provides sender untraceability (unobservability) if the adversary is not able to determine whether a particular participant has sent any real messages or not (see Figure 2.1). On the other hand, if the attacker is unable to determine whether a particular participant has received any real messages or not, the protocol provides receiver untraceability (see Figure 2.2). A very strong protocol might provide both sender and receiver untraceability. Finally, if the set of senders and the set of receivers is known, but the attacker cannot determine which of the senders sent messages to which of the receivers, the protocol provides unlinkability. Note that unlinkability is weaker than both sender untraceability and receiver untraceability. The above definitions apply to synchronous protocols as well as asynchronous ones. In the synchronous case, messages correspond to the communications, senders to initiators of the communications and receivers to responders. 
In this thesis we will be dealing mainly with systems which provide unlinkability. A diagram of such a system is shown in Figure 2.3. There are two styles of attack that the adversary can perform on such systems (see Figure 2.4). Broadly, a traffic confirmation attack is one in which the adversary only examines the communication patterns from the senders to the system and from the system to the receivers. A traffic analysis attack, on the other hand, also takes into account the traffic inside the anonymity system. The latter style of attack is usually more powerful, but requires more computational resources as well as more data.

[2] Of course, sophisticated attackers may not need to discover this with certainty; they may be content with information about the correlation between senders and receivers.

Figure 2.1: A system which provides only sender untraceability, as seen by the adversary (the adversary distinguishes the receivers, but not the senders from the other participants).

Figure 2.2: A system which provides only receiver untraceability, as seen by the adversary (the adversary distinguishes the senders, but not the receivers from the other participants).

Figure 2.3: A system which provides unlinkability, as seen by the adversary (senders, receivers and other participants are all distinguishable, but not who sent to whom).

Figure 2.4: Traffic analysis vs traffic confirmation attacks. A traffic confirmation attack examines only the communications between the senders and the anonymity system and between the anonymity system and the receivers. A traffic analysis attack also makes use of traffic patterns within the anonymity system.

Having equipped ourselves with some terminology, let us look at what is perhaps the most practical way of achieving anonymity (more specifically, unlinkability): mix systems.

2.3 Unlinkability via Mix Systems

As we already mentioned, the field of anonymity was started by a classic paper by Chaum [Cha81] which introduces the concept of a mix system and explains how a message (think of an e-mail message) can be sent from a sender to a recipient via several proxies, thereby providing unlinkability against an attacker who watches the entire network.

The following may serve as a useful analogy for how these systems operate. Sarah (the sender), having written her letter, puts it into an envelope and addresses it to Richard (the receiver). She then puts it in an envelope addressed to a friend, Nick, with a note asking him to post the inner envelope. She then takes the envelope addressed to Nick and puts it in an envelope addressed to Mike, with a similar note. Finally, she sends the (by now large) envelope to Mike. Mike and Nick work at two different post offices and get many letters asking them to forward inner envelopes every day. They receive all the letters addressed to them at the post office, take them home, unwrap all the envelopes during the night, and post all the inner envelopes the next day. Thus even Amy, the boss at the central post office, who records the sender and recipient of every letter (but cannot see what Mike and Nick do at home), cannot tell that Sarah sent her letter to Richard.

We are not aware of a permanent post office processing general purpose mail which operates in this way in the real world, though apparently the town of Loveland, Colorado performs remailing services similar to the ones described above for Valentine's Day every year! In any case, the above description corresponds fairly well to how a mix system works. This is explained in more detail below.

The system which provides an anonymous e-mail service consists of a number of remailers or mixes. A sender S wishing to send an anonymous message to a receiver R decides on a sequence (e.g. [M, N]) of anonymous remailers (mixes) via which the message should travel. Each remailer has a public/private keypair [3]; the public keys are retrieved by the senders in advance. The sender prepares the message by padding it to B bytes, a size used by all senders, and, if R has a public key, encrypting the padded message with it. She now appends the address of R, encrypts with N's public key, appends the address of N, encrypts with M's public key, and finally sends the whole structure to M. The structure, now commonly called an onion (the name is apparently due to Syverson [GRS96]), is illustrated in several different notations from [Cla03] in Figure 2.5.

Figure 2.5: Onion encryption shown diagrammatically and in two standard notations, e.g. {{{Message}_{k_R}, R}_{k_N}, N}_{k_M}.

When the onion is sent to the first mix (run by Mike), M, it is decrypted and placed inside the mix. A flushing algorithm is then executed to decide whether to send on (some of) the messages inside the mix. The simplest example of a flushing algorithm is waiting until n messages are in the mix before reordering them and sending them all out to their next hop.
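The onion construction just described, and the wait-for-n flushing rule, as an added worked example (this is not code from the thesis or from any deployed remailer). The names M, N and R and the parameter B are the thesis's; the layer layout (nonce, ciphertext, HMAC tag), the fixed-width address field ADDR_LEN, and the functions build_onion, peel, trace and tampered are this example's own. The per-party keys are a symmetric stand-in for the public/private keypairs of the text, so that the block runs with the standard library alone; the structure of the onion and of the peeling is otherwise as in the text.

```python
import hashlib
import hmac
import os
import random

# Parameters for this example: B is the fixed payload size every sender uses
# (Section 2.3); the others fix the wire layout of one encryption layer.
B = 64           # padded payload size in bytes
ADDR_LEN = 8     # fixed-width next-hop address field
NONCE_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 tag

# Stand-in for each party's public/private keypair: one symmetric key per name,
# derived from a demo constant. A real mix uses public-key encryption here.
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest()
        for name in ("M", "N", "R")}


def _keystream(key, nonce, length):
    """SHA-256 in counter mode, used as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """One onion layer: nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, layer):
    """Strip one layer; None if the tag fails, i.e. the bytes were modified in transit."""
    if len(layer) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = layer[:NONCE_LEN], layer[NONCE_LEN:-TAG_LEN], layer[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def addr(name):
    return name.encode().ljust(ADDR_LEN, b"\0")


def build_onion(message, route, receiver, keys=KEYS):
    """Sender: pad to B bytes, encrypt for the receiver, then add one layer per mix
    from the last mix outwards, so the outermost layer is for route[0]."""
    if len(message) > B - 1:
        raise ValueError("message longer than B-1 bytes")
    payload = bytes([len(message)]) + message + os.urandom(B - 1 - len(message))
    onion = encrypt(keys[receiver], payload)
    next_hop = receiver
    for mix in reversed(route):
        onion = encrypt(keys[mix], addr(next_hop) + onion)
        next_hop = mix
    return onion


def peel(key, onion):
    """Mix: remove one layer; returns (next_hop, inner_onion) or None to discard."""
    inner = decrypt(key, onion)
    if inner is None or len(inner) < ADDR_LEN:
        return None
    return inner[:ADDR_LEN].rstrip(b"\0").decode(), inner[ADDR_LEN:]


class ThresholdMix:
    """Chaum's simplest flushing rule: hold messages until n have arrived, then
    reorder them and send them all on to their next hops."""

    def __init__(self, key, n, seed=0):
        self.key, self.n, self.rng = key, n, random.Random(seed)
        self.pool, self.discarded = [], 0

    def receive(self, onion):
        peeled = peel(self.key, onion)
        if peeled is None:              # modified, truncated or not for us: drop it
            self.discarded += 1
            return []
        self.pool.append(peeled)
        if len(self.pool) < self.n:
            return []
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)
        return batch                    # (next_hop, onion) pairs in random order


def trace(onion, route, receiver, keys=KEYS):
    """Follow one onion along its route as in Figure 2.6.
    Returns (message size on each link, recovered message or None)."""
    sizes, expected = [len(onion)], route[0]
    for mix in route:
        peeled = peel(keys[mix], onion) if mix == expected else None
        if peeled is None:
            return sizes, None
        expected, onion = peeled
        sizes.append(len(onion))
    payload = decrypt(keys[receiver], onion) if expected == receiver else None
    return sizes, None if payload is None else payload[1:1 + payload[0]]


def tampered(onion, position=50):
    """Global active attacker flips one bit of the onion on the wire."""
    out = bytearray(onion)
    out[position] ^= 0x01
    return bytes(out)
```

Running trace(build_onion(b"meet at noon", ["M", "N"], "R"), ["M", "N"], "R") recovers the message and reports link sizes of 224, 168 and 112 bytes: each mix strips one address and one layer, so the message shrinks at every hop, which is exactly the size leak discussed under padding in Section 2.3.3. A bit flipped anywhere in the onion makes M's tag check fail and the mix discards the message rather than forwarding a garbled one, which is the behaviour the basic construction relies on against an active attacker. The ThresholdMix releases nothing until n onions have arrived, and then releases all of them in shuffled order.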
A mix executing this flushing algorithm is called a threshold mix (we will go on to investigate other flushing algorithms in Chapters 4 and 5). When the message does leave the mix, it is forwarded to the next mix (N, run by Nick), and so on along the sequence of mixes chosen by the sender (in our example just [M, N]), the layers being removed in the reverse order to that in which they were added, until the message eventually reaches the receiver R. This is illustrated in Figure 2.6.

[3] The reader who is not familiar with public key encryption is advised to refer to a standard textbook on computer security, e.g. [And01].

Figure 2.6: A message travelling through anonymous remailers. Each hop (M, then N) removes one layer of encryption and one address, until only the data addressed to R remains.

Note that when passing through every mix, as far as the attacker can see, the message was confused with several others (n-1 others in the case of a threshold mix with threshold n). Of course, if the mix is compromised by the attacker, i.e. the attacker has the private key of the mix, no confusion is created. This is more or less the scheme proposed by Chaum in [Cha81]. Alternative schemes are examined in a later section.

2.3.1 Basic Properties of Chaum's Construction

We now give an account of the basic properties of Chaum's construction.

1. First of all, it provides bitwise unlinkability between the inputs and the outputs of a mix. By this we mean that an attacker who is watching the input and the output channels of a mix (but does not know its private key) cannot correlate incoming and outgoing messages just by looking at the bits which comprise the messages.

2. Secondly, it provides bitwise unlinkability against any pair of non-consecutive (in the sequence) collaborating mixes. Thus, if the first and the last mix decide to collaborate, they cannot tell which of the messages processed by the first mix corresponds to which of the messages processed by the last just by looking at the bit sequences comprising the messages.

It is interesting to note that the onion construction is not necessary to provide bitwise unlinkability between the inputs and outputs of a single mix. Instead, Sarah (the sender) could simply encrypt the message with a key she shares with Mike (the first mix). Mike, upon receiving the message, decrypts it and encrypts it with a key he shares with Nick, and so on until the message arrives at Richard [4]. The reason why onion encryption is used in mix systems is to provide bitwise unlinkability against collaborating mixes.

It should be noted that the scheme provides bitwise unlinkability against active attackers as well as passive ones. Should an attacker try to change the message (and propagate this change through some mixes) in an attempt to discover where this message goes, anonymity should be preserved. This is done automatically by the mixes in the scheme described above: if the message was changed in transit, the mix which receives it will not be able to decrypt it to a well-formed layer and thus has no option but to discard it. Hence unlinkability is not compromised. In real anonymity systems much more care has to be taken to defend against these attacks [DDM03], as there, for efficiency reasons, only the header of the message is encrypted with the public key.

[4] The mixes need not see the message itself either: Sarah could encrypt it with Richard's public key.

2.3.2 Threat Models

Now that we have seen something of how mix systems work, let us examine the threat models against which they are designed to protect. There are several main threat models that anonymity researchers consider. Some of them will be considered in more detail later in this thesis.

1. The global passive attacker. This is perhaps the most common threat model in the literature. The adversary is able to observe (but not modify) all network traffic, and is unable to see inside any of the mixes.

2. The global active attacker. This adversary is able to observe and modify all network traffic. In particular, he is able to inject an arbitrary amount of traffic into the system in a very short time and to delay traffic for an arbitrary length of time.

3. The global passive attacker with many compromised mixes. This is a very strong attacker model, used for instance by Berthold, Pfitzmann and Standtke in [BPS00]. The only requirement is that there is at least one honest (uncompromised) mix on the path of the message in question [5]. Recall that by compromised we mean that the attacker knows the private key of the mix or can otherwise determine the correspondence between the incoming and the outgoing messages of the mix. If the attacker is the superuser on the machine running the mix, he is an active attacker.

4. The global active attacker with many compromised mixes. A combination of the latter two threat models.

5. A sub-global attacker. This is a large class of attackers that have the ability to monitor some links in the anonymity system, and possibly have some of their own nodes forwarding traffic. All real attackers almost certainly fall into this category. However, it is difficult to pin down precisely what a real attacker might look like within this class.

[5] The serious problem with this threat model is that it relies upon the user magically choosing a route through at least one honest mix, or suffering the consequences if all the chosen mixes are compromised.

At this point it is appropriate to introduce some more terminology. The adversary is sometimes interested in compromising the anonymity (unlinkability) of a single message (e.g. the message from a sender to the first mix, or from the last mix to the receiver); we call it the target message. When we say compromising unlinkability, we mean determining (or at least establishing some correlation between) the sender and the receiver of this message. We leave a detailed account of quantifying anonymity until Chapter 3.

In addition to the capabilities described above, each attacker may have some additional knowledge about what happens in the system. For instance, if we consider some run of a system, he might also know facts like "a message which arrived at R (hopefully this was not the target message!) was sent by A" or "a message which arrived at R was not sent by B or C". Such knowledge might arise, for example, if the message to R was written in Mongolian and we definitely knew that neither B nor C had learnt Mongolian.

The basic construction described in Section 2.3 already provides unlinkability against the global passive attacker. However, we need to understand the scheme in more detail to consider whether it protects against some of the more powerful adversaries.

2.3.3 More on Mix Systems

In just giving Chaum's basic construction we omitted many details which are important to ensure that the system provides anonymity, as well as some choices available to designers of anonymity systems. We will now briefly mention some of these.
Let us first of all recall that Sarah's message travelled through Mike's and Nick's remailers before reaching Richard. How were these remailers chosen? This is one of the most important questions in the design of anonymity systems, and various systems have dealt with it differently. Some do not allow any choice of routes at all: all messages have to travel via the same sequence of mixes (route). Such a system is called a mix cascade. A mix network, on the other hand, allows users to choose their routes through the network. A free route mix network allows users to choose arbitrary routes (via any sequence of available nodes), while in a restricted route mix network users are somewhat constrained.

This design choice has many implications for the rest of the anonymity system. Note, for instance, that messages decrease in size as they travel through a mix (one layer of encryption and one address are removed at each hop). Thus, in the mix network as presented above, messages would only be confused with other messages of the same size. More precisely, message µ would only be confused with message µ' at mix M if µ and µ' are to pass through the same number of mixes after M. To ensure that all messages passing through a mix get mixed together, we need each mix to add a certain amount of padding (random bits) to make all outgoing messages the same size. Naturally, the contents of all messages must also be the same size, as we mentioned previously.

In a mix network we must also make sure that mixes do not know their position within the sequence the message is travelling through. Otherwise a strong attack (by the global passive adversary with many compromised mixes) is possible; see [BPS00] for details.

Yet another attack is based on replaying messages. A global active adversary wants to trace a message travelling through a mix. To do this, he first records all the incoming and outgoing messages of this mix. He then takes the incoming message he wants to trace and sends it to the mix again. The mix flushes, and if the attacker now compares the outgoing messages from the mix with the ones he recorded before, he will get exactly one match: he knows that this is the reinserted message, and can now see where it is going. Protection against this attack is easily possible by including timestamps in messages and storing details (more precisely, cryptographic hashes) of the messages which have been seen in the last few days. Indeed, modern mixes (e.g. Mixminion [DDM03]) ensure that any replayed messages will be discarded automatically.

2.3.4 Cascades vs Networks

As we have seen in the previous section, the architecture of a mix system affects other choices in the design.
Here we examine the properties of mix networks and mix cascades slightly more deeply, in order to motivate some of the work presented in the later chapters of the thesis.

Mix cascades. These are relatively easy to analyse. For instance, if a cascade is made up of threshold mixes with threshold n, it is clear that each message is mixed with n-1 others. It is also clear that if one of the mixes in a cascade stops working, so does the entire cascade. Finally, we note that the scalability of a mix cascade is entirely limited by the scalability of the machines on which the mix software is run. On the other hand, a mix cascade maintains a level of anonymity against a global passive attacker with many compromised mixes [6] [BPS00]. In other words, as long as one mix remains uncompromised, some anonymity is achieved. Indeed, if we consider a mix cascade made up of threshold mixes with threshold n, then even if all the mixes but one are compromised, the anonymity provided by the cascade is not reduced [7].

Mix networks. Mix networks are much harder to analyse. First of all, their properties are heavily dependent on how routes are chosen. This is often done by the users, who are hard to model. Nevertheless, it is clear that the scalability and reliability of mix networks are better than those of cascades, though these properties have not been rigorously quantified or compared. Finally, quantifying the anonymity that a mix network provides has proved elusive for several years. In this thesis we make considerable progress towards this goal. An efficient way of calculating the anonymity of a mix network would enable us to look at properties of mix cascades and mix networks and make a detailed comparison.

It has generally been considered that mix networks are secure against the global passive attacker, though it has been shown in [BPS00] that they are not secure against the global passive attacker with many compromised mixes. The reader may find the above statements odd: what is "secure" in the context of an anonymity system? What we mean by "an anonymity system is secure against X" is that the adversary X does not significantly reduce the anonymity of the system from that which it was designed to provide. Or, more simply (though more subjectively), a significant amount of anonymity is maintained against threat model X.

2.3.5 The (n-1) Attack

One strong attack, which is still the subject of ongoing research, is the (n-1) attack. Consider a threshold mix which flushes when n messages have arrived. If, of the n messages in the mix, n-1 come from the attacker (and are therefore recognisable to him at the output), he can deduce the remaining message and observe where it has gone. This is a very powerful attack; one can seemingly do little to protect against it. Indeed, most methods try to reduce it to a denial of service attack in which the system stops working without anonymity being compromised. Alternatively, one can try to make the attacker as observable as possible. We explore this subject in much more detail in Chapter 4.

[6] As long as no (n-1) attacks (see Section 2.3.5) are possible. Methods of protecting cascades against this attack do exist; see, for instance, the first part of the Stop-and-Go mixes paper [KEB98].

[7] Although we have not examined this in detail, it is likely that the anonymity provided by a cascade of more sophisticated mixes, e.g. pool mixes, does go down as the number of compromised mixes goes up. Of course, it never goes down below the anonymity of a single pool mix.
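The replay defence of Section 2.3.3 (timestamps plus a cache of hashes of recently seen messages) and the (n-1) attack just described, as one added example that serves both passages; it is not code from the thesis or from Mixminion. The decryption step is modelled rather than implemented: an Onion carries the bytes that arrive (outer), the bytes that leave after the mix strips its layer (inner) and the timestamp the sender placed inside the layer (stamp); only the mix can map outer to inner, and the attacker knows inner only for onions he built himself. The two-day window, the seeds, the message bytes and the function names are this example's own constructed values.

```python
import hashlib
import random
from collections import namedtuple

# Model of one message as the mix sees it. This stands in for the real decryption:
# outer is what arrives, inner is what leaves once the mix's layer is removed, and
# stamp is the timestamp the sender placed inside the (authenticated) layer.
Onion = namedtuple("Onion", "outer inner stamp")

TWO_DAYS = 2 * 24 * 3600      # how long hashes of seen messages are remembered


class ReplayProtectedMix:
    """Threshold-n mix: a message is accepted only if its timestamp is within the
    window and the hash of its bytes has not been seen inside that window."""

    def __init__(self, n, seed=0, window=TWO_DAYS):
        self.n, self.window = n, window
        self.rng = random.Random(seed)
        self.pool = []
        self.seen = {}            # sha256(outer) -> time first seen

    def receive(self, onion, now):
        # Hashes older than the window are forgotten. A replay of such an old
        # message is still refused, because its timestamp is by then stale.
        self.seen = {h: t for h, t in self.seen.items() if now - t < self.window}
        if now - onion.stamp >= self.window:
            return "stale", []
        digest = hashlib.sha256(onion.outer).digest()
        if digest in self.seen:
            return "replay", []
        self.seen[digest] = now
        self.pool.append(onion.inner)
        if len(self.pool) < self.n:
            return "queued", []
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)
        return "flushed", batch


def replay_attack(n=3, seed=7):
    """The replay attack of Section 2.3.3 against a mix with a hash cache. Returns the
    verdict on the last honest message, on an immediate replay of the first one, and
    on a replay after the cache window has passed."""
    mix = ReplayProtectedMix(n, seed)
    t0 = 1_000_000
    # Constructed honest traffic: n distinct messages, all stamped at t0.
    honest = [Onion(b"outer-%d" % i, b"inner-%d" % i, t0) for i in range(n)]
    verdict = None
    for o in honest:
        verdict, _ = mix.receive(o, t0)
    replay_now, _ = mix.receive(honest[0], t0 + 60)
    replay_late, _ = mix.receive(honest[0], t0 + TWO_DAYS + 1)
    return verdict, replay_now, replay_late


def n_minus_one_attack(n=5, seed=3):
    """The (n-1) attack of Section 2.3.5. The replay cache does not help: the
    attacker's n-1 messages are fresh. Returns the outputs the attacker cannot
    account for; when there is exactly one, he has traced the target."""
    mix = ReplayProtectedMix(n, seed)
    t = 2_000_000
    target = Onion(b"target-outer", b"target-inner", t)         # constructed
    flood = [Onion(b"atk-outer-%d" % i, b"atk-inner-%d" % i, t) for i in range(n - 1)]
    known = {o.inner for o in flood}   # attacker built these, so knows their peeled form
    mix.receive(target, t)             # target enters an otherwise empty mix
    batch = []
    for o in flood:
        _, batch = mix.receive(o, t)   # the (n-1)th attacker message triggers the flush
    return [m for m in batch if m not in known]
```

replay_attack() returns ("flushed", "replay", "stale"): the replayed message is dropped both while its hash is still cached and, once the cache has forgotten it, because its timestamp is outside the window, so the hash store stays bounded by the window. n_minus_one_attack() returns [b"target-inner"] for any threshold: the attacker recognises his own n-1 outputs and the single remaining one is the target's next hop, which is why the thesis treats this attack separately from replay and why the defences in Chapter 4 aim to turn it into a denial of service or to make the flooding visible.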

The Disadvantages of Free MIX Routes and How to Overcome Them

The Disadvantages of Free MIX Routes and How to Overcome Them The Disadvantages of Free MIX Routes and How to Overcome Them Oliver Berthold 1, Andreas Pfitzmann 1, and Ronny Standtke 2 1 Dresden University of Technology, Germany {ob2,pfitza}@inf.tu-dresden.de 2 Secunet,

More information

Analysis of an Anonymity Network for Web Browsing

Analysis of an Anonymity Network for Web Browsing Analysis of an Anonymity Network for Web Browsing Marc Rennhard, Sandro Rafaeli, Laurent Mathy, Bernhard Plattner and David Hutchison Swiss Federal Institute of Technology, Computer Engineering and Networks

More information

Accordion. Anonymous Peer-to-Peer File Storage

Accordion. Anonymous Peer-to-Peer File Storage Accordion Anonymous Peer-to-Peer File Storage Morten Franck IT University of Copenhagen skyfer@itu.dk Peter Gath Hansen IT University of Copenhagen gath@itu.dk Abstract This thesis presents different techniques

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Internet Anonymity and the Design Process - A Practical Approach

Internet Anonymity and the Design Process - A Practical Approach anon.next: A Framework for Privacy in the Next Generation Internet Matthew Wright Department of Computer Science and Engineering, The University of Texas at Arlington, Arlington, TX, USA, mwright@uta.edu,

More information

Mixminion: Design of a Type III Anonymous Remailer Protocol

Mixminion: Design of a Type III Anonymous Remailer Protocol Mixminion: Design of a Type III Anonymous Remailer Protocol George Danezis University of Cambridge george.danezis@cl.cam.ac.uk Roger Dingledine The Free Haven Project arma@freehaven.net Nick Mathewson

More information

Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks

Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks Design Principles for Low Latency Anonymous Network Systems Secure against Timing Attacks Rungrat Wiangsripanawan, Willy Susilo and Rei Safavi-Naini Center for Information Security School of Information

More information

Examining Proxies to Mitigate Pervasive Surveillance

Examining Proxies to Mitigate Pervasive Surveillance Examining Proxies to Mitigate Pervasive Surveillance Eliot Lear Barbara Fraser Abstract The notion of pervasive surveillance assumes that it is possible for an attacker to have access to all links and

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

More information

Anonymous Communication in Peer-to-Peer Networks for Providing more Privacy and Security

Anonymous Communication in Peer-to-Peer Networks for Providing more Privacy and Security Anonymous Communication in Peer-to-Peer Networks for Providing more Privacy and Security Ehsan Saboori and Shahriar Mohammadi Abstract One of the most important issues in peer-to-peer networks is anonymity.

More information

Reusable Anonymous Return Channels

Reusable Anonymous Return Channels Reusable Anonymous Return Channels Philippe Golle Stanford University Stanford, CA 94305, USA pgolle@cs.stanford.edu Markus Jakobsson RSA Laboratories Bedford, MA 01730, USA mjakobsson@rsasecurity.com

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶 Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Computer Science 199r. CALEA, The USA PATRIOT Act, and VoIP: Privacy Concerns with Next Generation Telephony

Computer Science 199r. CALEA, The USA PATRIOT Act, and VoIP: Privacy Concerns with Next Generation Telephony Computer Science 199r CALEA, The USA PATRIOT Act, and VoIP: Privacy Concerns with Next Generation Telephony Pierce Tria May 14, 2007 Privacy Concerns with Next Generation Telephony I. CALEA and The USA

More information

83-10-41 Types of Firewalls E. Eugene Schultz Payoff

83-10-41 Types of Firewalls E. Eugene Schultz Payoff 83-10-41 Types of Firewalls E. Eugene Schultz Payoff Firewalls are an excellent security mechanism to protect networks from intruders, and they can establish a relatively secure barrier between a system

More information

Compter Networks Chapter 9: Network Security

Compter Networks Chapter 9: Network Security Goals of this chapter Compter Networks Chapter 9: Network Security Give a brief glimpse of security in communication networks Basic goals and mechanisms Holger Karl Slide set: Günter Schäfer, TU Ilmenau

More information

A Catechistic Method for Traffic Pattern Discovery in MANET

A Catechistic Method for Traffic Pattern Discovery in MANET A Catechistic Method for Traffic Pattern Discovery in MANET R. Saranya 1, R. Santhosh 2 1 PG Scholar, Computer Science and Engineering, Karpagam University, Coimbatore. 2 Assistant Professor, Computer

More information

Bit Chat: A Peer-to-Peer Instant Messenger

Bit Chat: A Peer-to-Peer Instant Messenger Bit Chat: A Peer-to-Peer Instant Messenger Shreyas Zare shreyas@technitium.com https://technitium.com December 20, 2015 Abstract. Bit Chat is a peer-to-peer instant messaging concept, allowing one-to-one

More information

Locating Hidden Servers

Locating Hidden Servers Locating Hidden Servers Lasse Øverlier Norwegian Defence Research Establishment and Gjøvik University College lasse.overlier@{ffi,hig}.no Paul Syverson Naval Research Laboratory syverson@itd.nrl.navy.mil

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 02 Overview on Modern Cryptography

More information

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards

Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the

More information

A Survey of Anonymous Communication Channels

A Survey of Anonymous Communication Channels A Survey of Anonymous Communication Channels George Danezis Claudia Diaz January 2008 Abstract We present an overview of the field of anonymous communications, from its establishment in 1981 from David

More information

Playing Server Hide and Seek. lasse.overlier@ffi.no http://www.syverson.org

Playing Server Hide and Seek. lasse.overlier@ffi.no http://www.syverson.org Playing Server Hide and Seek Lasse Øverlier Norwegian Defence Research Establishment Paul Syverson Naval Research Laboratory lasse.overlier@ffi.no http://www.syverson.org Location Hidden Servers Alice

More information

Tor Anonymity Network & Traffic Analysis. Presented by Peter Likarish

Tor Anonymity Network & Traffic Analysis. Presented by Peter Likarish Tor Anonymity Network & Traffic Analysis Presented by Peter Likarish This is NOT the presenter s original work. This talk reviews: Tor: The Second Generation Onion Router Dingledine, Mathewson, Syverson

More information

Anonymity Loves Company: Usability and the network effect. Roger Dingledine, Nick Mathewson The Free Haven Project

Anonymity Loves Company: Usability and the network effect. Roger Dingledine, Nick Mathewson The Free Haven Project Anonymity Loves Company: Usability and the network effect Roger Dingledine, Nick Mathewson The Free Haven Project 1 Overview We design and deploy anonymity systems. Version 1: You guys are studying this

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Notes on Network Security - Introduction

Notes on Network Security - Introduction Notes on Network Security - Introduction Security comes in all shapes and sizes, ranging from problems with software on a computer, to the integrity of messages and emails being sent on the Internet. Network

More information

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli 4-25-2002 INTERNET SECURITY: FIREWALLS AND BEYOND Mehernosh H. Amroli 4-25-2002 Preview History of Internet Firewall Technology Internet Layer Security Transport Layer Security Application Layer Security Before

More information

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory

Chapter 9 Key Management 9.1 Distribution of Public Keys 9.1.1 Public Announcement of Public Keys 9.1.2 Publicly Available Directory There are actually two distinct aspects to the use of public-key encryption in this regard: The distribution of public keys. The use of public-key encryption to distribute secret keys. 9.1 Distribution

More information

Computer Security. Draft Exam with Answers. 2009.

Computer Security. Draft Exam with Answers. 2009. Computer Security Draft Exam with Answers. 2009. Please note that the questions written here are a draft of the final exam. There may be typos in the questions that were corrected in the final version

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

More information

Email Encryption. Discovering Reasons Behind its Lack of Acceptance

Email Encryption. Discovering Reasons Behind its Lack of Acceptance Email Encryption Discovering Reasons Behind its Lack of Acceptance Kendal Stephens LaFleur Department of Computer Science Sam Houston State University Huntsville, TX, United States kks016@shsu.edu Abstract

More information

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

Exam Papers Encryption Project PGP Universal Server Trial Progress Report Exam Papers Encryption Project PGP Universal Server Trial Progress Report Introduction Using encryption for secure file storage and transfer presents a number of challenges. While the use of strong, well

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

WHITE PAPER WHAT HAPPENED?
ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH. Over the past ten years there have been more than 75 data breaches in which a million or more

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers
The current debate concerning the OV-Chipkaart security was

Practical Traffic Analysis: Extending and Resisting Statistical Disclosure
Nick Mathewson and Roger Dingledine, The Free Haven Project, {nickm,arma}@freehaven.net. Abstract. We extend earlier research on

DELEGATING LOG MANAGEMENT TO THE CLOUD USING SECURE LOGGING
Available Online at www.ijcsmc.com. International Journal of Computer Science and Mobile Computing, A Monthly Journal of Computer Science and Information Technology, ISSN 2320 088X, IJCSMC, Vol. 3, Issue.

BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION
Associate Prof. Dr. Victor Onomza Waziri, Department of Cyber Security Science, School of ICT, Federal University of Technology,

End-to-End Security in Wireless Sensor Networks (WSNs). Talk by Claudio Anliker, supervised by Dr. Corinna Schmitt, CSG@IFI, University of Zurich
Content: 1. Motivation 2. Security Issues and Principles 3. Internet-of-Things and Wireless

The Regulation of Investigatory Powers Bill, by Ian Brown and Brian Gladman
Technically inept: ineffective against criminals while undermining the privacy, safety and security of honest citizens and businesses. Introduction by Ian Brown

Keep Yourself Safe from the Prying Eyes of Hackers and Snoopers!
Protect Your Privacy Online. With the information in this article you can: Find out what secret information your PC is sharing with

A Security Review of an Anonymous Peer-to-Peer File Transfer Protocol
Bryan Lipinski, Patrick MacAlpine, [lipinski,patmac]@rice.edu. Abstract: This paper examines the overall security of AP3 [2] (Anonymous

Detecting Denial of Service Attacks in Tor
Norman Danner, Danny Krizanc, and Marc Liberatore, Department of Mathematics and Computer Science, Wesleyan University, Middletown, CT 06459 USA. Abstract. Tor is

Firewalls for the Home & Small Business. Gordon Giles, DTEC 6810. Professor: Dr. Tijjani Mohammed
Abstract: A firewall can be in the form of hardware, software or a combination of the two. It is basically

cipher: the algorithm or function used for encryption and decryption

(MPLS) MultiProtocol Label Switching. Software Engineering 4C03 Computer Network & Computer Security, Dr. Kartik Krishnan, Winter 2004
Final Copy. Researcher: Paul Chan. Student ID: 9914759. Last Revised:

Chapter 10. Network Security
Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS. Chapter 10: Objective: We introduce

Network Security. Mobin Javed. October 5, 2011
In this class, we mainly had discussion on threat models w.r.t. the class reading, BGP security and defenses against TCP connection hijacking attacks. 1 Takeaways

A very short history of networking
A New vision for network architecture. David Clark, M.I.T. Laboratory for Computer Science, September 2002, V3.0. Abstract: This is a proposal for a long-term program in network research, consistent with the

Wireless Sensor Networks Chapter 14: Security in WSNs
António Grilo. Courtesy: see reading list. Goals of this chapter: To give an understanding of the security vulnerabilities of Wireless Sensor Networks

Sync Security and Privacy Brief
Introduction: Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

Covert Channels. Some instances of use: Hotels that block specific ports Countries that block some access
Tunnels that are used to bypass filters and intrusion detection systems. Use traffic that is thought to be something else (i.e. DNS tunnels). Can also provide encryption (i.e.

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College.
Outline: Introduction, Cryptography Algorithms, Secret Key Algorithm, Message Digest

PRIVACY IN VOIP NETWORKS
Anirban Maitra, Arun Kumar, Akshay Kumar, Department of Electronics and Communication Engineering, Maharshi Dayanand University, Rohtak. Abstract: Peer-to-peer VoIP (voice over

2.4: Authentication. Authentication types. Authentication schemes: RSA, Lamport's Hash. Mutual Authentication. Session Keys. Trusted Intermediaries
Chapter 2: Security Techniques Background: Secret Key Cryptography, Public Key Cryptography, Hash Functions, Authentication. Chapter 3: Security on Network and Transport Layer. Chapter 4: Security on the Application

Key Management Interoperability Protocol (KMIP)
Addressing the Need for Standardization in Enterprise Key Management. Version 1.0, May 20, 2009. Copyright 2009 by the Organization for the Advancement of Structured Information Standards (OASIS).

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags
Sarah Abughazalah, Konstantinos Markantonakis, and Keith Mayes, Smart Card Centre-Information Security Group (SCC-ISG), Royal Holloway,

Internet Technology. Prof. Indranil Sengupta, Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur. Lecture No #06: IP Subnetting and Addressing
(Not audible: (00:46)) Now,

DoS: Attack and Defense
Vincent Tai, Sayantan Sengupta. COEN 233 Term Project, Prof. M. Wang. Table of Contents: 1. Introduction 4; 1.1. Objective; 1.2. Problem; 1.3. Relation to the class; 1.4. Other approaches

"ASM s INTERNATIONAL E-Journal on Ongoing Research in Management and IT"

To Study the Overall Cloud Computing Security Using Virtual Private Network
Aparna Gaurav Jaisingpure/Gulhane, Email id: aparnagulhane@gmail.com, Dr. D.Y. Patil Vidya Pratishthan's Dr. D.Y. Patil College of

IS TEST 3 - TIPS
FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

Topic 5: Security. Problems. Solutions
Wireless medium is easy to snoop on. Routing security vulnerabilities. Due to ad hoc connectivity and mobility, it is hard to guarantee access to any particular node

Authentication Types. Password-based Authentication. Off-Line Password Guessing
Chapter 2: Security Techniques Background: Secret Key Cryptography, Public Key Cryptography, Hash Functions, Authentication. Chapter 3: Security on Network and Transport Layer. Chapter 4:

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0
Table of Contents: 1 SWAF... 4; 1.1 SWAF Features... 4; 2 Operations and User Manual... 7; 2.1 SWAF Administrator

EBOOK. The Network Comes of Age: Access and Monitoring at the Application Level
www.ixiacom.com 915-6948-01 Rev. A, January 2014. Table of Contents: How Flow Analysis Grows Into Total Application Intelligence...

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key
Outline: Encryption Algorithms, Protocols, Message Integrity Protocols, Key Distribution, Firewalls. Figure 7.1 goes here. Bob, Alice want to communicate securely; Trudy, the intruder

Cryptography and Network Security
Spring 2012, http://users.abo.fi/ipetre/crypto/. Lecture 9: Authentication protocols, digital signatures. Ion Petre, Department of IT, Åbo Akademi University. Overview of

About SecureCom Mobile
SecureCom Mobile's mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended

Security (II). ISO 7498-2: Security Architecture of OSI Reference Model. EE5723/EE4723 Spring 2012
Course Outline: Fundamental Topics: System View of Network Security, Network Security Model, Security Threat Model & Security Services Model, Overview of Network Security, Security Basis: Cryptography, Secret

WEBARROW: A CASE STUDY OF SECURE WEB DEPLOYMENT
Namzak Labs White Paper, 2002-02, Version 1, September 30, 2002. Overview: As deployment of computer applications over the Internet becomes more prevalent, companies

Systems for Anonymous Communication
George Danezis, Claudia Diaz, Paul Syverson. August 31, 2009. Abstract: We present an overview of the field of anonymous communications, from its establishment in 1981 by

WHITE PAPER. Gaining Total Visibility for Lawful Interception
www.ixiacom.com 915-6910-01 Rev. A, July 2014. Table of Contents: The Purposes of Lawful Interception... 4; Wiretapping in the Digital Age...

TOR (The Onion Router)
TOR (The Onion Router) is a free software implementation of second generation onion routing, a system enabling its users to communicate anonymously on the Internet. Originally sponsored

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part

A Brief Overview of VoIP Security. By John McCarron.
Voice of Internet Protocol is the next generation telecommunications method. It allows phone calls to be routed over a data network, thus saving money

What Are Certificates? The Essentials Series: Code-Signing Certificates, sponsored by; by Don Jones
Contents: What Are Certificates?... 1; Digital Certificates and Asymmetric Encryption... 1; Certificates as a Form

SANE: A Protection Architecture For Enterprise Networks
Fakultät IV Elektrotechnik und Informatik, Intelligent Networks and Management of Distributed Systems Research Group, Prof. Anja Feldmann, Ph.D. WS

PPINA - A Forensic Investigation Protocol for Privacy Enhancing Technologies
Giannakis Antoniou 1, Campbell Wilson 1, and Dimitris Geneiatakis 2. 1 Faculty of Information Technology, Monash University,

Information Security Basic Concepts
1. What is security in general: Security is about protecting assets from damage or harm. Focuses on all types of assets. Example: your body, possessions, the environment,

CPSC 467b: Cryptography and Computer Security
Michael J. Fischer. Lecture 1, January 9, 2012. Course Overview. Symmetric Cryptography. Course Overview CPSC

Network Security Technology Network Management
COMPUTER NETWORKS. Source, Encryption E(K,P), Decryption D(K,C), Destination. The author of these slides is Dr. Mark Pullen of George Mason University. Permission

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch
February 20, 2005. 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

Lawful Interception in P2P-based VoIP Systems
Jan Seedorf (jan.seedorf_at_nw.neclab.eu), NEC Laboratories Europe, Heidelberg, Germany. July 2008, IPTCOMM 2008, Heidelberg, Germany. Outline 1.

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM
Okumoku-Evroro Oniovosa, Lecturer, Department of Computer Science, Delta State University, Abraka, Nigeria. Email: victorkleo@live.com. ABSTRACT: Internet security

FIREWALLS VIEWPOINT 02/2006, 31 MARCH 2006
This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC), a predecessor organisation to the Centre for the Protection

Packet Level Authentication Overview
Dmitrij Lagutin, Dmitrij.Lagutin@hiit.fi, Helsinki Institute for Information Technology HIIT, Aalto University School of Science and Technology. Contents: Introduction

Why VPN Alone Will not Secure your Wireless Network
Christian H. Mosveen, Department of Computer Science, University of Auckland. E-mail: cmos024@ec.auckland.ac.nz. Abstract: Any wireless device will, because

MODULE 13: ELECTRONIC COMMERCE OBJECTIVE QUESTIONS
There are 4 alternative answers to each question. One of them is correct. Pick the correct answer. Do not guess. A key is given at the end of the module

Decentralized Peer-to-Peer Network Architecture: Gnutella and Freenet
AUTHOR: Jem E. Berkes, umberkes@cc.umanitoba.ca, University of Manitoba, Winnipeg, Manitoba, Canada. April 9, 2003. Introduction: Although

PGP (Pretty Good Privacy) INTRODUCTION. ZHONG ZHAO
In The Next 15 Minutes, You May Know: What is PGP? Why using PGP? What can it do? How did it evolve? How does it work? How to work it? What's its limitation?

First Semester Examinations 2011/12. INTERNET PRINCIPLES
PAPER CODE NO.: COMP211. EXAMINER: Martin Gairing. DEPARTMENT: Computer Science. Tel. No. 0151 795 4264. TIME ALLOWED: Two Hours. INSTRUCTIONS TO CANDIDATES

Wireless Network Security
Bhavik Doshi. Privacy and Security, Winter 2008-09. Instructor: Prof. Warren R. Carithers. Due on: February 5, 2009. Table of Contents: Sr. No. / Topic / Page No. 1. Introduction 3; 2. An